Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2008-2327

Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code.

Published

2008-08-27T20:41:00.000

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Primary
CWE-119

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	libtiff	libtiff	≤ 3.8.2	Yes
Application	libtiff	libtiff	3.4	Yes
Application	libtiff	libtiff	3.5.1	Yes
Application	libtiff	libtiff	3.5.2	Yes
Application	libtiff	libtiff	3.5.3	Yes
Application	libtiff	libtiff	3.5.4	Yes
Application	libtiff	libtiff	3.5.5	Yes
Application	libtiff	libtiff	3.5.6	Yes
Application	libtiff	libtiff	3.5.7	Yes
Application	libtiff	libtiff	3.6.0	Yes
Application	libtiff	libtiff	3.6.1	Yes
Application	libtiff	libtiff	3.7.0	Yes
Application	libtiff	libtiff	3.7.1	Yes
Application	libtiff	libtiff	3.8.0	Yes
Application	libtiff	libtiff	3.8.1	Yes

References

http://bugs.gentoo.org/show_bug.cgi?id=234080 ([email protected])
http://lists.apple.com/archives/security-announce//2008/Nov/msg00001.html ([email protected])
http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html ([email protected])
http://lists.apple.com/archives/security-announce/2008/Nov/msg00002.html ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html ([email protected])
http://secunia.com/advisories/31610 Vendor Advisory ([email protected])
http://secunia.com/advisories/31623 Vendor Advisory ([email protected])
http://secunia.com/advisories/31668 Vendor Advisory ([email protected])
http://secunia.com/advisories/31670 Vendor Advisory ([email protected])
http://secunia.com/advisories/31698 Vendor Advisory ([email protected])
http://secunia.com/advisories/31838 Vendor Advisory ([email protected])
http://secunia.com/advisories/31882 Vendor Advisory ([email protected])
http://secunia.com/advisories/31982 ([email protected])
http://secunia.com/advisories/32706 ([email protected])
http://secunia.com/advisories/32756 Vendor Advisory ([email protected])
http://security-tracker.debian.net/tracker/CVE-2008-2327 ([email protected])
http://security-tracker.debian.net/tracker/DSA-1632-1 ([email protected])
http://security-tracker.debian.net/tracker/DTSA-160-1 ([email protected])
http://security.gentoo.org/glsa/glsa-200809-07.xml ([email protected])
http://sunsolve.sun.com/search/document.do?assetkey=1-26-265030-1 ([email protected])
http://support.apple.com/kb/HT3276 ([email protected])
http://support.apple.com/kb/HT3298 ([email protected])
http://support.apple.com/kb/HT3318 ([email protected])
http://www.debian.org/security/2008/dsa-1632 Patch ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2008:184 ([email protected])
http://www.redhat.com/support/errata/RHSA-2008-0847.html ([email protected])
http://www.redhat.com/support/errata/RHSA-2008-0848.html Vendor Advisory ([email protected])
http://www.redhat.com/support/errata/RHSA-2008-0863.html Vendor Advisory ([email protected])
http://www.securityfocus.com/archive/1/496033/100/0/threaded ([email protected])
http://www.securityfocus.com/archive/1/497962/100/0/threaded ([email protected])
http://www.securityfocus.com/bid/30832 ([email protected])
http://www.securitytracker.com/id?1020750 ([email protected])
http://www.ubuntu.com/usn/usn-639-1 ([email protected])
http://www.us-cert.gov/cas/techalerts/TA08-260A.html US Government Resource ([email protected])
http://www.vmware.com/security/advisories/VMSA-2008-0017.html ([email protected])
http://www.vupen.com/english/advisories/2008/2438 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2008/2584 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2008/2776 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2008/2971 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2008/3107 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2008/3232 ([email protected])
http://www.vupen.com/english/advisories/2009/2143 Vendor Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=458674 ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11489 ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5514 ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00102.html ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00121.html ([email protected])
http://bugs.gentoo.org/show_bug.cgi?id=234080 (af854a3a-2127-422b-91ae-364da2661108)
http://lists.apple.com/archives/security-announce//2008/Nov/msg00001.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.apple.com/archives/security-announce//2008/Sep/msg00005.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.apple.com/archives/security-announce/2008/Nov/msg00002.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/31610 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/31623 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/31668 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/31670 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/31698 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/31838 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/31882 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/31982 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/32706 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/32756 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://security-tracker.debian.net/tracker/CVE-2008-2327 (af854a3a-2127-422b-91ae-364da2661108)
http://security-tracker.debian.net/tracker/DSA-1632-1 (af854a3a-2127-422b-91ae-364da2661108)
http://security-tracker.debian.net/tracker/DTSA-160-1 (af854a3a-2127-422b-91ae-364da2661108)
http://security.gentoo.org/glsa/glsa-200809-07.xml (af854a3a-2127-422b-91ae-364da2661108)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-265030-1 (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT3276 (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT3298 (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT3318 (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2008/dsa-1632 Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2008:184 (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2008-0847.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2008-0848.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2008-0863.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/496033/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/497962/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/30832 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id?1020750 (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/usn-639-1 (af854a3a-2127-422b-91ae-364da2661108)
http://www.us-cert.gov/cas/techalerts/TA08-260A.html US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
http://www.vmware.com/security/advisories/VMSA-2008-0017.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/2438 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/2584 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/2776 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/2971 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/3107 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/3232 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/2143 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=458674 (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11489 (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5514 (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00102.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00121.html (af854a3a-2127-422b-91ae-364da2661108)